Author: Travis Good, CEO of Haekka
Hi Jane Community,
My name is Travis Good, and I’m the CEO of Haekka, a modern training platform that makes HIPAA training simple for admins and effective for users. In this article, I’ll be sharing all about HIPAA and what you can do to ensure your practice is compliant.
But first, I want to let you in on a little secret… HIPAA isn’t hard! It’s just a set of things you need to put in place, and we hope this article helps you do exactly that. So, without further ado, let’s dive right in!
Does HIPAA apply to my practice?
The short answer — yes! If you work for or manage a practice that electronically transmits health information in the United States, it is exceedingly likely HIPAA applies to you and that your practice needs to comply with HIPAA standards. If HIPAA applies to your practice, this article outlines the steps you can take to get started.
Who has to comply with HIPAA?
Let’s start by looking at who has to comply with HIPAA. There are four primary categories of organizations that need to comply with HIPAA:
- 🏢 Health Plans. Individual and group insurance falls into this category.
- 🏠 Healthcare Clearinghouses. These organizations process healthcare transactions.
- 👩‍⚕️ Health Care Providers. Yep, that’s you! It is worth quoting HIPAA here: “Every health care provider, regardless of size, who electronically transmits health information in connection with certain transactions, is a covered entity. These transactions include claims, benefit eligibility inquiries, referral authorization requests, or other transactions for which HHS has established standards under the HIPAA Transactions Rule.”
- 👩‍💻 Business associates. These are individuals or organizations that perform functions for any of the above. You probably guessed it, that’s Jane!
Alright, so we know that HIPAA applies to every health care provider that electronically transmits health information in the United States, but how do we work towards and maintain compliance?
Great question! 💡 Let’s cover that now.
HIPAA compliance in 5 steps
There are a lot of approaches to HIPAA. Some people hire a consultant, some people buy a software service, and some people go it alone. The US Department of Health and Human Services (HHS) has a helpful framework for small practices that breaks down the necessary activities into five steps, which do not have to be followed sequentially.
I’ve included them here. ⤵️ Feel free to scroll through the page or hop to a particular step that interests you:
🙋 Step 1. Assign a person to be in charge of privacy policies.
📋 Step 2. Provide patients with a Notice of Privacy Practices (NPP).
✍️ Step 3. Create and implement privacy policies and procedures.
🤝 Step 4. Train employees on privacy procedures and security awareness.
🔓 Step 5. Secure protected health information (PHI).
One important aspect of HIPAA is that it is not meant to be implemented in a one-size-fits-all manner. HIPAA is largely about managing the risk to PHI. Small practices have much less PHI and are typically lower risk than large health systems or insurance companies. As a small practice, the ways in which you address the above five steps will be different, and often a lot less involved in terms of time and money, than how a larger entity would address them.
🙋 Step 1. Assign a person to be in charge of HIPAA
This is the simplest of the five steps. The person you appoint to be in charge of privacy can be a staff member or practice manager. From HHS: “The privacy official at a small physician practice may be the office manager, who will have other non-privacy-related duties.” This is the person who will oversee the other four steps to address HIPAA.
Curious who belongs to the Privacy & Security Team at Jane? 💙
📋 Step 2. Notice of privacy practices (NPP)
NPPs, similar to agreements you sign online for digital services, are often verbose and not reader-friendly. The goal of an NPP is to provide patients with information about the data that your practice collects, how that data is used and secured, what rights that person has on their data, and who to contact with questions or issues concerning health data.
You do not have to create this from scratch. HHS provides templates in both English and Spanish available as PDFs or Word documents. There are instructions for the parts of the templates you should customize to fit with your practice and procedures.
Executing NPPs with patients/customers is an ongoing process. Many practices require the execution of NPPs at every visit to ensure the most up-to-date NPP version is used. Signed NPPs should be stored with your records and treated like a part of the medical record.
💡Jane can help share your NPPs with your clients and collect consent in a few ways:
- Through an intake or consent form;
- A chart template, with your NPP language and an added signature line for your clients to sign at the time of treatment; and,
- If your clients prefer paper, you’ll have the option to scan that into your clients’ files.
✍️ Step 3. Policies and procedures
Creating and adopting privacy policies and procedures can seem like the most daunting part of complying with HIPAA. The policies and procedures that you need for your practice should apply to the work your staff does and should prevent disclosing PHI to anybody that is not authorized to see it. You do not need policies and procedures for things that are not relevant to your practice.
Some examples of policies that often apply to small practices are below:
- Data integrity - procedures for handling of sensitive data, in particular PHI.
- Data access - the most important aspect of this is not sharing accounts.
- Device security - for computers and mobile devices.
- Communication - what channels are allowed for sending and receiving PHI.
- Breach notification - how you handle a breach and notify impacted individuals.
- Training - when and how you train staff on HIPAA.
Many people buy templates or pay consultants to create policies and procedures for them. There are free options, though they are unlikely to fit your practice properly without customization. Writing them yourself is not hard, but it does take time.
As with all things HIPAA, HHS is explicit that you do not need the same policy and procedure library that a large organization needs: The policies and procedures of small providers may be more limited under the Rule than those of a large hospital or health plan, based on the volume of health information maintained and the number of interactions with those within and outside of the health care system.
🤝 Step 4. Training
HIPAA requires two types of training, outlined below. Both should be repeated on a regular basis; the industry standard is annually.
- Privacy Training. There are different ways to meet this requirement. Some practices train on the HIPAA rules themselves and some simply require practice staff to review and acknowledge policies and procedures (HHS allows both). The good news? We have free HIPAA training available here! 🥳
- Security Awareness. This can be addressed with off-the-shelf training from any of a myriad of vendors. There are multiple free options here and here.
The most critical aspect of training is to document that it has been done. One easy way to do this is to use a spreadsheet or Google Sheet. One of the benefits of buying training is that it typically takes care of tracking for you.
🔓 Step 5. Secure protected health information
Almost 100% of practices have digitized, meaning the vast majority of PHI is now digital. If your systems and data are local, you need to ensure your devices and applications are secure. Some core HIPAA requirements include unique logins for each employee, turning on auditing features, conducting regular backups of critical data, and encrypting all stored PHI.
📣 If your practice uses cloud-based tools like Jane, securing PHI is considerably easier as you lean on your vendors for the majority of device and application security requirements.
One of the most important aspects of digital PHI security in 2022 is ensuring your practice staff are using approved tools to store and send PHI. If you do not want staff to store PHI, including clinical photos, on personal phones or to send PHI via text message, ensure staff are trained not to do these things.
HIPAA’s Security Rule mandates that PHI is protected in transit and secured where it is stored.
Lucky for you, anything sent from Jane to your client is secured, both in transit and through the client’s password-protected client portal. Check out the video below to see how!
Whether for storing or sending, you need to have business associate agreements for any apps that you use for PHI.
🔁 Revisit the five steps annually
HIPAA is not something you only think about once. You should review the five steps above on a regular basis; the industry standard is annually.
During this process, you should document any steps your organization took to protect PHI, or if nothing needed to change from the previous year. Any alterations to your systems, policies, or procedures should be recorded. This process can be documented using anything from a Word Document to a Google Sheet or even a simple web form. This annual review process addresses requirements in HIPAA for regular assessments.
So, what’s next?
Getting started! There are a lot of good resources out there that you can leverage to accelerate your five HIPAA steps. As a first step, you could simply review the five steps and document what you have and don’t have in place. From there, you can start to address any gaps in things like training or policies and procedures. Regardless of how you start, the most important thing is to get your compliance initiatives into motion.
- Privacy Rule Summary
- Security Rule Summary
- HIPAA Resources for Smaller Practices
- HIPAA Overview Presentation by CMS
- Free HIPAA training
Jane’s HIPAA resources: